What a CCIE must know: Intrusion Prevention System (IPS)
With the continuous improvement of network attack techniques and the continuous discovery of new security vulnerabilities, a traditional firewall combined with traditional IDS technology can no longer cope with some security threats. Intrusion prevention technology was developed in response. It can deeply inspect the traffic flowing through it, discard malicious packets to block attacks, and rate-limit abusive packets to protect network bandwidth.
Intrusion prevention is a security mechanism that analyzes network traffic, detects intrusions (such as buffer overflow attacks, Trojan horses, and worms), and uses configured response actions to stop them in real time, protecting enterprise information systems and network infrastructure from compromise. It is a security defense technology that can both detect and prevent intrusion behavior: after detecting an intrusion, it can automatically discard the intrusion packets or block the attack source, stopping the attack at its root.
The main advantages of intrusion prevention:
Real-time blocking of attacks: the device is deployed inline in the network path, so when an intrusion is detected it can intercept the intrusion activity and offensive traffic in real time, minimizing the damage to the network.
In-depth protection: intrusion prevention can inspect application-layer message content, perform protocol analysis on reassembled network flows, and decide which traffic to intercept according to the attack type and the configured policy.
All-round protection: intrusion prevention provides protection against worms, viruses, Trojan horses, botnets, spyware, adware, CGI (Common Gateway Interface) attacks, backdoors, and other attacks, defending against many kinds of attacks and protecting network security.
Both inside and outside: intrusion prevention can block attacks originating outside the enterprise as well as attacks launched from inside it.
Generally speaking, an IDS detects and raises alarms on abnormal data that may be an intrusion, informs users of the real-time state of the network, and suggests corresponding handling methods; it is a security function focused on risk management. Intrusion prevention detects behavior that is clearly judged to be an attack that will harm the network and data and terminates it in real time, reducing the resources users must spend handling abnormal conditions; it is a security function focused on risk control.
Intrusion prevention technology adds powerful defense functions to traditional IDS:
A traditional IDS has difficulty preventing and blocking application-layer attacks, whereas an intrusion prevention device can defend against them effectively. Because important data is mixed with a large volume of ordinary data, an IDS can easily miss real attacks, its false positive and false negative rates remain high, and it generates too many logs and alarms. The intrusion prevention function strips the message layer by layer, performs protocol identification and message parsing, classifies the parsed message, and performs specialized feature matching, ensuring detection accuracy.
An IDS can only passively detect what kind of attack the protected target is under; to prevent further attacks it can only report to the firewall (FW) through a response mechanism, and the FW then blocks the attack. Intrusion prevention is a proactive system: when an attack attempt is detected, it automatically drops the attack packet or blocks the attack source, realizing an active defense function.
Intrusion prevention mechanism:
Reassemble application data: before entering the IPS detection engine, IP fragments and TCP streams are reassembled to ensure the continuity of application-layer data and to detect attacks that attempt to evade detection by splitting themselves across packets.
Protocol identification and protocol analysis: before detection, the application-layer protocol is identified based on the content of the traffic; once the protocol is identified, the message is decoded precisely according to that protocol and its features are extracted for intrusion detection.
Feature matching: the features of the parsed message are matched against the signature set; if a signature is hit, the corresponding response is triggered.
Response processing: after detection completes, the matched signature is acted on according to the action configured by the administrator.
IPS technology faces many challenges, of which three are the main ones: single points of failure, performance bottlenecks, and false positives and false negatives. By design an IPS works inline in the network, which can create bottlenecks or single points of failure. If an IDS fails, the worst case is that certain attacks go undetected; if an inline IPS device fails, it can seriously affect the normal operation of the network.
Even if the IPS device does not fail, it is still a potential network bottleneck, which not only increases latency but also reduces the efficiency of the network. An IPS must keep pace with network traffic of several gigabytes or more, especially when it is loaded with a large signature library; an inadequately designed inline IPS device cannot sustain that response speed.
The false positive rate and the false negative rate are also very important. Once an alarm is generated, the most basic requirement is that the IPS can handle the alarm effectively. If the intrusion signatures are not well written, there is an opportunity for "false positives", which may lead to the accidental interception of legitimate traffic.
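The four-step mechanism above (reassembly, protocol identification and decoding, feature matching, response) and the false-positive caveat are easiest to see in a small working model. The following Python is an added example written for this article, not code from any IPS vendor or from IELAB; the signatures, flow tuples and HTTP requests are constructed for the demo, and the reassembler is told the first sequence number directly instead of learning it from the TCP handshake. It shows why reassembly comes first: a traversal pattern split across two out-of-order TCP segments is invisible to per-packet matching but is caught once the stream is rebuilt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    protocol: str        # evaluated only once the stream is identified as this protocol
    field: str           # decoded message field the pattern is applied to
    pattern: re.Pattern
    action: str          # "block" drops the flow, "alert" only logs


# Constructed sample signatures for this demo, not a real vendor signature feed.
# 1002 is deliberately broad (many legitimate clients omit User-Agent), so it is
# configured as "alert" rather than "block" to avoid intercepting legitimate traffic.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal in URI", "http", "uri",
              re.compile(rb"(\.\./){2,}"), "block"),
    Signature(1002, "HTTP request without User-Agent header", "http", "user-agent",
              re.compile(rb"^$"), "alert"),
]


class StreamReassembler:
    """Step 1: rebuild each TCP stream in sequence order so a pattern that is split
    across segments, or arrives out of order, is still seen as one stream."""

    def __init__(self) -> None:
        self._segments: Dict[FlowKey, Dict[int, bytes]] = {}
        self._first_seq: Dict[FlowKey, int] = {}

    def open(self, flow: FlowKey, first_seq: int) -> None:
        # Assumption: the sequence number of the first payload byte is supplied by
        # the caller; a real device would learn it from the three-way handshake.
        self._first_seq[flow] = first_seq
        self._segments[flow] = {}

    def add(self, flow: FlowKey, seq: int, payload: bytes) -> bytes:
        """Store the segment and return the contiguous bytes available from the start."""
        if flow not in self._first_seq:
            self.open(flow, seq)
        segs = self._segments[flow]
        segs[seq] = payload
        out, nxt = bytearray(), self._first_seq[flow]
        while nxt in segs:          # stop at the first gap (a segment not yet seen)
            out += segs[nxt]
            nxt += len(segs[nxt])
        return bytes(out)


def identify_protocol(data: bytes) -> str:
    """Step 2: identify the application protocol from content rather than from the port."""
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", data):
        return "http"
    return "unknown"


def decode_http(data: bytes) -> Optional[Dict[str, bytes]]:
    """Step 2 (continued): decode the request line and headers into named fields.
    Returns None until the complete header block has arrived."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = data[:end].split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return None
    fields: Dict[str, bytes] = {"method": parts[0], "uri": parts[1], "user-agent": b""}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return fields


def match_signatures(protocol: str, fields: Dict[str, bytes]) -> List[Signature]:
    """Step 3: evaluate only the signatures for the identified protocol, each against
    the decoded field it targets rather than the raw byte stream."""
    return [s for s in SIGNATURES
            if s.protocol == protocol and s.pattern.search(fields.get(s.field, b""))]


def raw_match(payload: bytes) -> List[int]:
    """Per-packet matching with no reassembly, kept only to show what it misses."""
    return [s.sig_id for s in SIGNATURES if s.pattern.search(payload)]


class ToyIPS:
    """Step 4: inline verdicts per segment. 'hold' means the stream is not yet decidable."""

    def __init__(self) -> None:
        self.reasm = StreamReassembler()
        self.blocked: Set[FlowKey] = set()
        self.log: List[str] = []

    def inspect(self, flow: FlowKey, seq: int, payload: bytes) -> str:
        if flow in self.blocked:
            return "drop"                      # a blocked flow stays blocked
        stream = self.reasm.add(flow, seq, payload)
        if not stream:
            return "hold"                      # out of order: wait for the gap to fill
        if identify_protocol(stream) != "http":
            return "forward"                   # the demo only decodes HTTP
        fields = decode_http(stream)
        if fields is None:
            return "hold"                      # header block incomplete
        hits = match_signatures("http", fields)
        for s in hits:
            self.log.append(f"sid={s.sig_id} action={s.action} flow={flow} {s.name}")
        if any(s.action == "block" for s in hits):
            self.blocked.add(flow)
            return "drop"
        return "forward"


# Constructed traffic: one request whose traversal pattern is split across two
# segments that also arrive out of order, plus one benign request.
FLOW: FlowKey = ("10.0.0.5", 40000, "10.0.0.10", 80)
SEG_A = b"GET /cgi-bin/.."
SEG_B = b"/../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"


def run_demo() -> Dict[str, object]:
    ips = ToyIPS()
    ips.reasm.open(FLOW, 1000)
    first = ips.inspect(FLOW, 1000 + len(SEG_A), SEG_B)             # second half arrives first
    second = ips.inspect(FLOW, 1000, SEG_A)                          # gap filled: full request
    third = ips.inspect(FLOW, 1000 + len(SEG_A) + len(SEG_B), b"x")  # flow already blocked
    benign_flow: FlowKey = ("10.0.0.6", 40001, "10.0.0.10", 80)
    ips.reasm.open(benign_flow, 5000)
    benign = ips.inspect(benign_flow, 5000, BENIGN)
    return {"verdicts": [first, second, third, benign],
            "per_packet_hits": raw_match(SEG_A) + raw_match(SEG_B),
            "log": ips.log}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the demo gives verdicts `['hold', 'drop', 'drop', 'forward']` and an empty `per_packet_hits` list: neither segment alone contains `../../`, so a per-packet engine forwards both, while the reassembled stream hits signature 1001 and the flow is dropped. The log also records signature 1002 for the same request, but because that signature is broad it is configured as alert-only, which is the practical answer to the false-positive concern above: a signature that cannot be written precisely should raise an alarm for an analyst rather than block traffic on its own.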
visit us: http://ielab.network
Facebook : https://www.facebook.com/ielab.network/